The total amount of fines paid by companies worldwide for non-compliance with mandatory requirements reached $14 billion in 2024. Regulatory, tax, standards, and professional association requirements continue to grow in both volume and complexity, placing increasing pressure on businesses. The number of documents to comply with is rising, and their contents are becoming more intricate. What can IT domains like RegTech and the concept of Compliance-as-Code offer in addressing this issue? Feride Osmanova, Senior Backend Engineer at an international IT company, shares insights.
Machine-readable law is still in its early stages of development. Only a small percentage of lawmakers currently create and update coded versions of legal documents—smart contracts on the blockchain or at least XML-based data sets. Where such versions do exist, audits can be automatically launched within corporate ecosystems to assess how well the requirements are integrated into business processes.
According to experts, widespread creation of machine-readable laws is expected within the next 5–10 years. By 2030, machine-readable formats may become standard in industries where regulations lend themselves to algorithmic interpretation.
Rules as Code (RaC): How laws become executable code
Compliance-as-Code is the idea of automating adherence to numerous and constantly evolving regulatory, legal, industry-specific, and other mandatory requirements. Unlike Compliance-as-Policy, where a company maintains a machine-readable format for its own internal policies and procedures, Compliance-as-Code is not yet widely implemented globally. Mandatory requirements are, by nature, an external data source. To automate compliance with a given document, companies must rely on this source and consistently integrate the machine-readable version of current requirements—or other structured data—into their DevOps and Agile workflows to ensure fully automated compliance.
The benefit: costly internal compliance audits involving human auditors and the need for external consulting due to complex and ever-changing regulations can be eliminated. What used to take hours or days now takes minutes, is inexpensive, and requires little to no ongoing attention from developers or testers.
Which laws are most automatable?
Unfortunately, few laws are available in machine-readable format directly from legislators. Only a handful of pilot projects exist in the EU and the US. Most often, companies automate implementation and compliance with documentation related to information security and cybersecurity:
- GDPR (General Data Protection Regulation – European personal data protection standard)
- PCI DSS (Payment Card Industry Data Security Standard)
- ISO 27001 (Information Security Management Systems)
- HIPAA (Health Insurance Portability and Accountability Act – US)
Why is cybersecurity compliance—such as with GDPR—the most commonly automated? It’s not because the authors provide machine-readable metadata or versions of the requirements in code format. Rather, these documents are relatively unambiguous and well-structured, making them suitable for automation.
DSLs and frameworks: turning requirement text into code
The rigid structure of these texts enables developers and framework creators to write applications that decompose requirements into specific conditions. These conditions can then be checked using neural networks, AI tools, or even simple scripts that compare the stated requirements with the configuration of a company’s servers or working environments.
For example, using a Domain-Specific Language (DSL) such as InfoSec, GDPR specifications can be transformed into code.
GDPR includes a number of requirements regarding how user authentication must be organized to protect personal data. Specific technology options are prescribed to achieve this. Developers just need to read the code, identify which tools or frameworks are required, and check whether they exist in the company’s ecosystem.
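The "simple scripts" route described above, as an added example that is not part of the article: the requirements are assumed to have already been decomposed into structured conditions (the RULES list is constructed for illustration and does not come from a real DSL or from the GDPR text), and a configuration snapshot (also constructed) is checked against them. A setting that is missing or has the wrong type counts as a failed check rather than crashing the run, and the exit status lets a CI job fail the pipeline on non-compliance.

```python
"""Rules-as-Code check: evaluate decomposed requirements against a configuration.

Added example, not from the article. The rule set and the configuration below
are constructed for illustration; they are not a real DSL or real GDPR text.
"""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed requirement set: each rule is one condition extracted from a
# hypothetical authentication/encryption requirement, expressed as data.
RULES = [
    {"id": "AUTH-01", "path": "auth.mfa_required", "op": "eq", "expected": True,
     "text": "Multi-factor authentication must be enforced for all users."},
    {"id": "AUTH-02", "path": "auth.password.min_length", "op": "gte", "expected": 12,
     "text": "Passwords must be at least 12 characters."},
    {"id": "AUTH-03", "path": "auth.session_timeout_minutes", "op": "lte", "expected": 30,
     "text": "Sessions must expire after at most 30 minutes of inactivity."},
    {"id": "CRYPT-01", "path": "storage.encryption_at_rest", "op": "eq", "expected": True,
     "text": "Personal data must be encrypted at rest."},
    {"id": "CRYPT-02", "path": "tls.min_version", "op": "in", "expected": ["1.2", "1.3"],
     "text": "Only TLS 1.2 or 1.3 may be used in transit."},
]

# Constructed configuration snapshot, as an inventory script might export it.
CONFIG = {
    "auth": {"mfa_required": True, "password": {"min_length": 8}, "session_timeout_minutes": 30},
    "storage": {"encryption_at_rest": True},
    "tls": {"min_version": "1.0"},
}

# Comparison operators the rule set may use.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "gte": lambda actual, expected: actual >= expected,
    "lte": lambda actual, expected: actual <= expected,
    "in": lambda actual, expected: actual in expected,
}


@dataclass
class Finding:
    rule_id: str
    passed: bool
    actual: Any
    reason: str


def lookup(config: dict, path: str):
    """Resolve a dotted path; a missing key is reported, not raised."""
    node = config
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None, False
        node = node[key]
    return node, True


def evaluate(rules, config):
    """Check every rule against the configuration and return one Finding per rule."""
    findings = []
    for rule in rules:
        actual, present = lookup(config, rule["path"])
        if not present:
            findings.append(Finding(rule["id"], False, None, f"{rule['path']} is not configured"))
            continue
        try:
            ok = OPERATORS[rule["op"]](actual, rule["expected"])
        except TypeError:
            ok = False  # wrong type in config, e.g. a string where a number is required
        reason = ("compliant" if ok
                  else f"{rule['path']}={actual!r}, required {rule['op']} {rule['expected']!r}")
        findings.append(Finding(rule["id"], ok, actual, reason))
    return findings


def is_compliant(findings) -> bool:
    """True only if every rule passed; suitable as a pipeline gate."""
    return all(f.passed for f in findings)


if __name__ == "__main__":
    results = evaluate(RULES, CONFIG)
    for f in results:
        print(f"{'PASS' if f.passed else 'FAIL'} {f.rule_id}: {f.reason}")
    # Non-zero exit status fails the CI job when any rule is violated.
    raise SystemExit(0 if is_compliant(results) else 1)
```

Against the constructed snapshot, AUTH-02 (password length 8) and CRYPT-02 (TLS 1.0) fail while the other three pass, so the script exits with status 1. Keeping rules as data rather than hard-coding each check means an updated requirement set can be dropped in without touching the evaluator, which is the property the DSL-based approach relies on.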
General-purpose programming languages like Python are poorly suited for transforming text-based requirements into executable code. While Python does offer libraries (e.g., compliancelib) for converting documents into machine-readable formats, DSLs are generally better equipped to handle the complexity. This is why DSLs are preferred for reliable, periodic compliance verification and integration.
Popular Compliance-as-Code platforms—alternatives to DSLs and frameworks—include Alessa, Hyperproof, and Simublade.
Other noteworthy DSLs include AD-DSL, Controlled Natural English DSL, and others.
Notable Compliance-as-Code Projects
Several projects come close to realizing the Compliance-as-Code ideal:
- OpenFisca (France): An API that translates tax legislation into code. It works with laws from multiple countries and can generate results even if no predefined logic exists for a specific jurisdiction—users just supply the necessary documents via the API.
- RegTech & SupTech (UK): A project by the UK’s FCA to publish machine-readable versions of financial reporting requirements.
- ABACUS (Austria): Initiated by the Austrian National Bank to automatically receive financial control data in machine-readable format.
- Digital Lawyer (Russia): A chatbot developed by Sber that extracts legally significant information from uploaded documents.
Other interesting projects are being implemented in India, Australia, Germany, China, and various other digitally advanced economies.
Implementing requirements received as code
Once requirements are received in code form, they must be integrated into DevOps pipelines, Git rules, and configuration files. Tools like Ansible, Chef, Puppet, and Terraform support this by declaratively managing IT infrastructure.
These tools help ensure that changes in infrastructure don’t disrupt compliance processes, thereby protecting the company from costly fines.
It’s also worth noting that many major cloud providers (e.g., Amazon Web Services) now offer built-in tools to support Compliance-as-Code.
Don’t forget encryption!
Data must be encrypted. When dealing with machine-readable data, cloud storage vulnerabilities become even more critical. One of the most in-demand libraries for Compliance-as-Code-based applications is OpenFHE. This framework tracks “noise” during data transmission and handles legal document interpretation errors that may arise due to ambiguity.
Other advantages of OpenFHE include fine-tuned cryptographic parameter settings. The library is so advanced that it’s used as the de facto standard for compliance with the EU’s Digital Operational Resilience Act (DORA), enabling secure “data-in-use” processing.
OpenFHE fully supports homomorphic encryption and is resistant to quantum cyberattacks.
Audits and certification: auto-generating audit evidence
If successful compliance with a document’s requirements must lead to external audit certification, then the DevOps and compliance infrastructure must be able to automatically generate audit evidence.
This requires logging and documenting proof of compliance that auditors can verify.
Real-world Case Study: Project Mandala
Launched in 2023, Project Mandala involves major global banks, including the central banks of Singapore (MAS) and the UK (BoE), and six other international banks. They agreed to maintain compliance using machine-readable regulatory requirements and code-based reporting.
Technologies like smart contracts and tokenization were used to secure machine-readable data. Automating transactions and mutual audits significantly reduced compliance costs.
Additional savings came from the fact that automated tools instantly detected violations, and ongoing updates ensured compliance even as regulations changed.
As a result, the speed of regulatory implementation, data transparency, and security increased, while the time and cost to achieve compliance dropped dramatically.
Conclusions
Beyond direct fines, companies that fail to manage compliance may suffer immense indirect losses. According to a recent Deloitte Global Risk Management Survey, companies found to be in violation of regulations lose 10–15% of potential profits, as prospective clients avoid doing business with non-compliant firms.
Ensuring full compliance, including all updates and nuances, truly is a million-dollar question—and the answer is Compliance-as-Code.